Q&A: What to Do About Web 2(.0)

In an exclusive interview, Imperva co-founder talks Web 2.0 security risks, protection strategies, and how end-user education is a waste of time

Everyone's talking about Web 2.0 security. But what can you really do about it? In an exclusive interview, Amichai Shulman, co-founder and CTO of Imperva and one of the Web's most widely-recognized security researchers, spoke with Dark Reading senior editor Kelly Jackson Higgins about the emerging risks in Web 2.0, and how organizations can protect themselves.

Figure 1: Amichai Shulman, co-founder and CTO, Imperva

DR: In the spirit of Web 2.0 security education, let's define the term "Web 2.0," which seems to be a moving target sometimes. How do you define these types of applications?

Shulman: We've [Imperva's Application Defense Center research group] identified three major Web 2.0 terms. The first is rich interface applications, which everyone calls Ajax, but there are other technologies involved in this... sometimes flash, etc. These make Web apps more user-friendly and GUI-oriented, so there's less clicking.

The second is RSS, which is now evolving into mashups, and all this stuff. The third area is user participation -- the server-side technology, and a behavior where users build up the content and destruction of Web apps, like YouTube, MySpace, LinkedIn, etc.

DR: Where among these types of Web 2.0 apps have you witnessed security threat activity?

Shulman: We've seen Ajax-enriched and user-participation type applications [targeted]. There have been some threats to mashups, but those are more client-side related threats, not in the scope of Web apps security. With a lot of application logic moving toward clients, the line between the client and server side is blurring... We're seeing all types of threats coming back in.

DR: What's the nature of the security problem with the Web 2.0 model?

Shulman: Things related to bad session management, given that access control is on the client side rather than at the server side. The same old threats here are coming back, and are stronger, because programmers are putting security logic on the client side and leaving the server vulnerable. This is a larger attack surface.

Because this type of app is composed of much smaller modules, each having a specific function, it needs to be secured, and the probability of having an unsecured module rises... And with Ajax, an administrator doesn't see the URL generated by your client app. Everything happens behind the scenes... It becomes really hard to understand the logic and structure you have to protect.

It's not that Web 2.0 is introducing new vulnerabilities, but making app security harder to implement.

DR: So what specific vulnerabilities can these applications have?

Shulman: We're seeing more session management issues... An unauthenticated client can join the access-protected areas of the server. Forceful browsing to bypass authentication is probably the most common of the [session management-type] attacks.

Basically, the attackers are subverting the application logic but not following the flow as was intended by the programmers. SQL injection is big, as is parameter-tampering. Other types of threats are cross-site scripting [XSS], cross-site request forgery [CSRF]. XSS happens when the client-side logic regards information from the server as something that should be executed... While XSS existed before Ajax apps, it has become more common with them. The same goes for user-participation type apps. The more users affect the content of the site and are able to put JavaScript into the site, the more mobile code can be executed on the client side.

DR: What recent attacks best illustrate the Web 2.0 security threat?

Shulman: The most famous incident was the Samy worm in MySpace. And there was a Gmail XSS and CSRF vulnerability that abused some Google capabilities.

DR: What technologies today can help protect organizations from Web 2.0-based attacks?

Shulman: For the past two years, the way to protect Web apps has been with Web app firewalls. But can they handle the threat scenarios of Web 2.0?

DR: Not all WAFs are equipped for this. What features do they need?

Shulman: They [need to] mitigate session management, parameter-tampering, cookie-tampering, which our products do. We [Imperva] also have a strong XSS and CSRF engine, and a profiling engine, so you don't have to know your app in order to protect it.

DR: Should end users be taking some of the responsibility for security with these apps?

Shulman: I don't believe in user education. I spent my first few years [in this industry] trying to educate users in the military on security... That should be easier, but it never worked. There's not much you can do with user education.

DR: What are some best practices you recommend for mitigating Web 2.0 attacks?

Shulman: This should be a high priority for anyone launching Web-based apps in the next two years.

Always have your security logic on the server. Sanitize user input prior to use. Augment your internal application security with an external Web application firewall.

Input sanitation is probably the most prominent of all. That is, remove from user input any characters that are not expected per that specific input. But although this is a key mitigation technique, it is hard to implement in real-world applications, where you have thousands of input fields with different characteristics.

Another key mitigation technique is proper session management using session cookies with a random value.

I think application owners need to be sure apps are safe, and not vulnerable to XSS and CSRF and that they have proper session management. They can do this by building better apps, which is hard, or by using Web application firewalls.

And 50 percent of the solution is understanding the problem.
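As an added illustration (not code from the interview or from Imperva), a minimal Python model of the three practices Shulman lists: authorization decided only on the server, per-field allow-list input validation, and session cookies with a random value. All names and field rules are hypothetical.

```python
import re
import secrets

# Constructed example: a toy server that keeps all security logic server-side.

# Per-field allow-list: each input has its own definition of "expected characters",
# which is the part that becomes hard to maintain across thousands of fields.
FIELD_RULES = {
    "username": re.compile(r"[A-Za-z0-9_]{3,32}"),
    "zip": re.compile(r"\d{5}"),
    "comment": re.compile(r"[\w\s.,!?'-]{1,500}"),
}


def validate_field(name, value):
    """Return True only if the whole value matches the allow-list for that field."""
    rule = FIELD_RULES.get(name)
    return rule is not None and rule.fullmatch(value) is not None


class Server:
    def __init__(self):
        self.sessions = {}  # session token -> (user, role), held only on the server

    def login(self, user, role):
        # 32 random bytes (256 bits) from the OS CSPRNG; the cookie value is unguessable.
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user, role)
        return token

    def admin_page(self, cookie_token, client_claims_admin=False):
        """HTTP-style status for a request to an access-protected page.

        client_claims_admin stands for anything the client asserts about itself
        (a hidden form field, a JavaScript flag); it is deliberately ignored and
        the decision is made only from the server-held session record.
        """
        session = self.sessions.get(cookie_token)
        if session is None:
            return 401  # no valid session: forceful browsing to the URL fails
        if session[1] != "admin":
            return 403  # authenticated but not authorized
        return 200
```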

Imperva tomorrow will announce a free March 14 Webinar on best practices for Web 2.0 applications, plus a free White Paper that spells out the specific vulnerabilities and how to prevent falling victim to them.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
